In the earliest days of computing (in other words, the times when machines ran on punch cards and took up entire rooms), cybersecurity was as simple as watching who was handling the cards. When computers shrunk to the size of terminals in the late ’70s, it became about controlling access to the physical location of those machines. With the advent of the internet, however, bad actors discovered countless ways to attack IT — and cybersecurity efforts never caught up.
In many ways, we’re still trapped in the mindset that cybersecurity is a secondary feature. Instead of being built in to products from the earliest days of development, the attitude is often to bolt on cybersecurity when or where it’s necessary. That might have worked in the past when threats were small and rare. However, as recent events illustrate, that era is long over, and custom-built applications without built-in security are left vulnerable.
The recently uncovered SolarWinds attack exposed many U.S. government agencies; it will take years to fully understand the magnitude of the effects. Just as alarming as how many different agencies failed — and how many cybersecurity measures failed in the process — was the fact that experts only discovered the attacks after hackers accidentally exposed themselves. Were it not for this uncharacteristic mistake, the attack could have continued indefinitely. This is every agency’s worst nightmare.
This isn’t the only instance of a very concerning data breach: One example from Florida revealed that all the members of a state emergency management system used the same login credentials. Likewise, small government agencies are increasingly the victims of high-stakes ransomware attacks.
Now that hacking has become very lucrative (and in some cases, an endeavor backed by foreign governments with geopolitical motivations), attacks are getting worse and varying in frequency, sophistication, cost, scale, and so forth.
Clearly, cybersecurity strategies and governance need to become top priorities as agencies undergo their digital transformation journeys. As agencies at all levels ask themselves how to protect against cybersecurity attacks in 2021 and beyond, they should keep the following maxims in mind.
Among the outdated ideas that persist around cybersecurity for local governments (and even state and federal agencies) is the belief that cybersecurity isn’t worth the investment.
That was once true. When attacks involved a few machines, minimal amounts of data, and small disruptions, it made sense to invest lightly in cybersecurity. However, successful attacks now cost far more than prevention. Consider that some ransomware gangs plan to demand 10% of a victim’s budget to decrypt data, which would be catastrophic for any agency.
Refusing to pay such ransoms doesn’t appear any better: The City of Atlanta spent over $2.5 million to restore data when hackers wouldn’t do so themselves. Whether it’s because they’re easier to attack than large corporations or more likely to pay, government agencies will continue to be a common target for ransomware attacks. Knowing how much a single attack can cost, agencies need to update how they think about the costs and benefits of cybersecurity.
Today’s attacks have never been so clever or so varied, and hackers have a deep well of known attacks from which to draw. More alarming, novel attacks built to bypass existing defenses are being built all the time. The best government cybersecurity strategies understand the goal of the adversary and respect their adept skills, which is to exploit each and every weak point.
Consider, for example, a casino that hackers compromised after finding an entry point through an internet-connected fish tank monitor of all things. Or the highly personalized “spear phishing” campaigns hackers use to avoid raising red flags. Everything from a third-party tool to a home network used by a remote worker could become a vulnerability — a fact hackers know well. Stopping them starts by recognizing how many targets they could choose to attack inside a government agency and how many forms the offensive could take.
Improving data governance and cybersecurity must happen at all levels of government in 2021, and this starts with some common-sense measures. Basic cyber hygiene (think systematically installing patches and updates) should be mandatory, as should policies prohibiting things such as credential-sharing. User training and education should also be a strong focus, including war-gaming exercises to build real-world skills. Above all, agencies need to bring their attitudes about cybersecurity into the reality of 2021.
If you’d like to shore up your government agency’s cybersecurity defenses in 2021, schedule a chat with the experts at Kyra Solutions.